Scammers Steal Millions of Crypto, Bank Details and Gaming Accounts from Pakistanis

Group-IB, one of the global leaders in cybersecurity, has identified 34 Russian-speaking groups that are distributing info-stealing malware under the stealer-as-a-service model. The cybercriminals mainly use ‘Racoon’ and ‘Redline’ stealers to obtain passwords for gaming accounts on Steam and Roblox, credentials for Amazon and PayPal, as well as users’ payment records and crypto wallet information.

In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords. All the identified groups orchestrate their attacks through Russian Telegram groups, although they mainly target users in the United States, Brazil, India, Germany, and Indonesia. In 2022, info-stealing malware has grown into one of the most serious digital threats.

Classiscam graduates

By tracking the evolution of the popular scam scheme ClassiscamGroup-IB Digital Risk Protection analysts revealed how some “workers” (low-rank online scammers) started shifting to a more dangerous criminal scheme that involves distributing info stealers. Moreover, the illicit business of stealers, which is coordinated via Telegram groups, uses exactly the same operational model as Classiscam.

An info stealer is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator. After a successful attack, the scammers either obtain money themselves using the stolen data or sell the stolen information in the cybercriminal underground. According to Group-IB, stealers are one of the top threats to watch in the coming year. The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Racoon stealer.

According to the Group-IB Digital Risk Protection team, (part of the Unified Risk Platform), the mass Telegram groups and bots designed to distribute info stealers first appeared in early 2021. By investigating a number of accounts, Group-IB analysts were able to confirm that members of several scam groups that previously participated in the Classiscam scheme began using stealers. In 2021 and 2022, Group-IB experts identified 34 active groups on Telegram. On average, such info-stealer distribution groups have around 200 active members.

The most popular stealer among the groups examined by Group-IB is RedLine, which is used by 23 out of 34 gangs. Racoon ranks second: 8 groups employ this tool. Custom stealers are used in 3 communities. Administrators usually give workers both RedLine and Racoon in exchange for a share of the stolen data or money. However, the malware in question is offered for rent on the dark web for $150-200 per month. Some groups use 3 stealers at the same time, while others have only one stealer in their arsenal.

Having switched from scamming users of classified websites to stealers, some threat actors reproduced not only the hierarchy and model of Classiscam but also its technical capabilities. In particular, Telegram bots generate malicious content, communication between members, and all their shady accounting.

The tasks of workers, the scammers of the lower ranks, have also changed. They must now drive traffic to bait scam websites impersonating well-known companies and convincing victims to download malicious files. Cybercriminals embed links for downloading stealers into video reviews of popular games on YouTube, into mining software or NFT files on specialized forums and direct communication with NFT artists, and into lucky draws and lotteries on social media.

World tour

Group-IB estimates that between March 1 (when Group-IB started researching the scheme) and December 31, 2021, stealers operated via Telegram groups were able to compromise 538,000 devices. In the first 7 months of 2022, they were found to be almost twice more active infecting more than 890,000 devices in 111 countries.

The top 5 most often attacked countries in 2022 were the United States, Brazil, India, Germany, and Indonesia with 91,565, 86,043, 53,988, 40,750, and 35,345 infected devices respectively.

In Pakistan, for instance, last year (March – December 2021), the operators of the stealers in question infected 5,390 devices. In the first seven months of 2022, the number grew to 16,591. From these devices, the scammers were able to retrieve 1,432,825 passwords (up from 226,213 from March-December 2021), 1,122 sets of payment records, and 1,494 sets of crypto wallet information such as credentials, seed phrases, etc.

According to the analysis of Telegram groups, for the last 10 months of 2021 cybercriminals collected 27,875,879 sets of passwords, 1,215,532,572 cookie files, 56,779 sets of payment records, and data from 35,791 crypto wallets. In the first 7 months of 2022, threat actors stole 50,352,518 passwords, 2,117,626,523 cookie files, details of 103,150 bank cards, and data from 113,204 crypto wallets. The underground market value of just the stolen logs and compromised card details is around $5.8 million, Group-IB experts estimate.

According to Group-IB, in 2021, threat actors worldwide most frequently collected PayPal account credentials (more than 25%) and Amazon credentials (more than 18%). In 2022, the most targeted services are the same, namely PayPal (more than 16%) and Amazon (more than 13%). However, over the course of the year, cases of stealing passwords for gaming services (Steam, Epic Games, Roblox) in the logs have increased almost five-fold.

 Sharef Hall, Head of Group-IB’s Digital Risk Protection Analytics Team in Dubai said:

The influx of a huge number of workers into the popular scam Classiscam — which Group-IB’s Unified Risk Platformidentified, at its peak, comprised over a thousand criminal groups and hundreds of thousands of fake websites — has led to criminals competing for resources and looking for new ways to make profits.

The popularity of schemes involving stealers can be explained by the low entry barrier. Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers become infected with a stealer, however, the consequences can be disastrous.

To minimize potential risks, Group-IB Digital Risk Protection experts recommend that users refrain from downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, avoid saving passwords in browsers, and regularly clear browser cookies. To prevent digital risks and unwanted consequences, companies should take a proactive approach to their brand’s digital security and use modern technologies for monitoring and response, such as Group-IB’s Digital Risk Protection.



close
>